CVE-2024-8903
📋 TL;DR
This vulnerability allows local users with standard privileges to manipulate active protection service settings in Acronis Cyber Protect Cloud Agent due to unnecessary privilege assignments. It affects Windows and macOS installations before build 38565. Attackers could potentially disable security features they shouldn't have access to.
💻 Affected Systems
- Acronis Cyber Protect Cloud Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could disable critical security protections, potentially allowing malware execution or system compromise that would otherwise be blocked.
Likely Case
Malicious local users or malware with user-level privileges could disable specific security controls, reducing the system's protection against other threats.
If Mitigated
With proper access controls and monitoring, impact is limited to local privilege escalation attempts that can be detected and contained.
🎯 Exploit Status
Exploitation requires local user access but no special privileges. The vulnerability is in privilege assignment logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 38565 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7510
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect Cloud Agent to build 38565 or later. 2. Restart the system or agent service. 3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Local User Access
allLimit local user access to systems running vulnerable Acronis agents to trusted personnel only.
Monitor Agent Configuration Changes
allImplement monitoring for unauthorized changes to Acronis agent protection settings.
🧯 If You Can't Patch
- Implement strict access controls to limit who has local login access to affected systems
- Deploy additional endpoint security controls to compensate for potential protection bypass
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect Cloud Agent version in the agent interface or system logs. Versions before build 38565 are vulnerable.Check Version:
On Windows: Check Acronis agent interface or Program Files\Acronis\Agent\version.txt. On macOS: Check /Applications/Acronis Cyber Protect Cloud Agent.app/Contents/Info.plist or agent interface.Verify Fix Applied:
Verify agent version shows build 38565 or later and test that standard users cannot modify protection settings.📡 Detection & Monitoring
Log Indicators:
- Unauthorized attempts to modify Acronis protection settings
- Changes to agent configuration by non-admin users
- Agent service restarts or configuration resets
Network Indicators:
- Unusual agent communication patterns after local user login
SIEM Query:
source="acronis_agent" AND (event_type="config_change" OR event_type="protection_disabled") AND user!="SYSTEM" AND user!="Administrator"